We’re taking on a small number of new builds and rebuilds this quarter. Book a call to see if your project is a fit.

CVE CVE-2026-38431

CVE-2026-38431

Express

Severity: —
CVSS: —CVSS
Published: 2026-05-05
Last modified: 2026-05-05

Description

ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered.

References

https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine

Summary

Description

References